Encrypted AES VPN tunnel between pfSense 2.3 and Draytek 2830

For a long time now I’ve managed several VMware ESXi servers, and for easy management I’ve created a local area network on each, making backups, monitoring and the usual sysadmin tasks a breeze.

The icing on the cake is that I recently swapped from m0n0wall to pfSense and went about setting up a LAN-to-LAN VPN tunnel to my home network, so now I can access everything locally as if I were on the same network.

Home Network

My home network uses a Draytek 2830 connected to a Virgin Media Superhub. Unfortunately the Draytek is getting on a little bit now and doesn’t have the processing power to deal with my 100mbit connection speed, so I’ve had to double NAT the network using the Superhub in router mode and then DMZ everything towards the Draytek.

This isn’t a bad thing though, as all the “dumb” wireless devices (mobile phones, Rokus, Nest thermostat, etc.) connect directly to the Superhub whilst my home server and everything crucial connect via the Draytek. All in all I get 70mbit through the Draytek on average, and there’s plenty of bandwidth left for the devices connected to the Superhub.

In the example below the home network subnet will be 192.168.100.x.

Remote Network

The remote network is pretty simple. They are all set up the same way, except that x is a different number based on the virtual host name; a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x.

Important

Each local area network must be on a separate subnet, otherwise things can quickly get messy and conflict!

Make sure you use a secure pre-shared key; anything above 32 characters will do nicely.

The example details below are fake; replace them with your own details if you want this to work.

Configuring pfSense

The guide below lists only the parts you need to change; if an option isn’t listed, leave it as is.

Fairly straightforward: go to VPN > IPSec > click Add P1

Enter the Remote Gateway as the WAN IP address of the Draytek (or the Superhub in my case)

Enter a brief description in the Description box

If you are double NAT’d like me, set Peer identifier to KeyID tag and enter the WAN2 address of the Draytek; otherwise leave it as Peer IP address

Enter your pre-shared key in the Pre-Shared Key box

Press Save

That’s your Phase 1 entry configured; now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

Enter Remote Network as the home network subnet – 192.168.100.0/24

Put a brief description in the Description box

Set PFS Key Group to 2

Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

Go to Firewall > Rules > IPSec and click Add

Change Protocol to any

Enter a brief description in the Description box

Press Save and hit Apply Changes

Configuring the Draytek

Now it is time to configure the Draytek: go to VPN and Remote Access > LAN to LAN

For Common Settings:

Enter a Profile Name

Tick Enable this profile

Make sure Call Direction is set to Both

For Dial-Out Settings:

Set type of server to IPSec Tunnel

Enter the Remote WAN IP in the Server IP/Hostname for VPN box

Enter the pre-shared key set previously in the Pre-Shared Key box

For IPSec Security Method set it to High (ESP) – AES with Authentication

Under Advanced set IKE phase 1 proposal to AES256_SHA1-G14 and IKE phase 2 proposal to AES256_SHA1, then press OK
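As an added example (not part of the original post, and not pfSense or Draytek code), the script below runs the pre-flight checks a practitioner would want before bringing the tunnel up: it generates a pre-shared key longer than the 32 characters recommended in the Important section, confirms the two LANs (192.168.100.0/24 and 192.168.150.0/24) do not overlap, parses the Draytek proposal labels from the last step and compares them with the pfSense side, and flags a Diffie-Hellman group below 2048 bits. It assumes the pfSense Phase 1 algorithms, which the post leaves at their defaults, are AES256/SHA1/DH group 14 so that they match the Draytek's AES256_SHA1-G14; the Phase 2 PFS group 2 comes from the pfSense section. One caveat the check surfaces: PFS key group 2 is 1024-bit MODP while the Phase 1 group 14 is 2048-bit, and the post does not state the Draytek's own PFS setting, so confirm the two sides agree on it.

```python
"""Pre-flight checks for the pfSense <-> Draytek LAN-to-LAN IPsec tunnel above.

Added example, not the post's own code. The pfSense Phase 1 proposal is an
assumption (chosen to match the Draytek's AES256_SHA1-G14); the subnets, PFS
group and PSK length rule are taken from the post; the PSK is generated here.
"""
import ipaddress
import re
import secrets

# Diffie-Hellman MODP group -> modulus size in bits (RFC 2409, RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_PSK_CHARS = 32   # rule of thumb from the post
MIN_DH_BITS = 2048   # groups below this are 1024-bit-or-smaller MODP


def generate_psk(nbytes=48):
    """Random URL-safe pre-shared key; 48 random bytes encode to 64 characters."""
    return secrets.token_urlsafe(nbytes)


def check_psk(psk):
    """Return a list of problems with a pre-shared key (empty list means OK)."""
    issues = []
    if len(psk) < MIN_PSK_CHARS:
        issues.append(f"PSK is {len(psk)} characters, fewer than {MIN_PSK_CHARS}")
    if len(set(psk)) < 8:
        issues.append("PSK uses fewer than 8 distinct characters")
    return issues


def check_subnets(local, remote):
    """Both LANs must be distinct, non-overlapping networks, as the post stresses."""
    a = ipaddress.ip_network(local, strict=True)
    b = ipaddress.ip_network(remote, strict=True)
    return [f"{a} overlaps {b}"] if a.overlaps(b) else []


def parse_draytek_proposal(text):
    """Turn a Draytek label such as 'AES256_SHA1-G14' into a normalised dict.

    The '-G<n>' suffix (DH group) is present on the Phase 1 label and absent
    on the Phase 2 label in the post; a missing group is returned as None.
    """
    m = re.fullmatch(r"(AES\d+|3DES|DES)_(SHA\d*|MD5)(?:-G(\d+))?",
                     text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised proposal label: {text!r}")
    enc, hsh, group = m.groups()
    return {"enc": enc.lower(), "hash": hsh.lower(),
            "dh": int(group) if group else None}


def compare_proposals(side_a, side_b):
    """Fields set on both sides must agree, or IKE negotiation will fail."""
    mismatches = []
    for key in ("enc", "hash", "dh"):
        if side_a.get(key) is None or side_b.get(key) is None:
            continue   # not specified on one side: cannot judge from labels alone
        if side_a[key] != side_b[key]:
            mismatches.append(f"{key}: {side_a[key]} vs {side_b[key]}")
    return mismatches


def weak_parameters(proposal):
    """Flag parameters below common strength expectations (my thresholds)."""
    warnings = []
    group = proposal.get("dh")
    if group is not None:
        bits = DH_GROUP_BITS.get(group)
        if bits is None:
            warnings.append(f"DH group {group} is not in the known MODP table")
        elif bits < MIN_DH_BITS:
            warnings.append(f"DH group {group} is {bits}-bit MODP, below {MIN_DH_BITS}")
    if proposal.get("hash") == "md5":
        warnings.append("MD5 integrity is broken and should not be used")
    return warnings


def preflight(cfg):
    """Run every check over one tunnel description and collect the findings."""
    p1_draytek = parse_draytek_proposal(cfg["draytek_p1"])
    p2_draytek = parse_draytek_proposal(cfg["draytek_p2"])
    return {
        "psk": check_psk(cfg["psk"]),
        "subnets": check_subnets(cfg["local_subnet"], cfg["remote_subnet"]),
        "phase1_mismatch": compare_proposals(cfg["pfsense_p1"], p1_draytek),
        "phase2_mismatch": compare_proposals(cfg["pfsense_p2"], p2_draytek),
        "weak": weak_parameters(cfg["pfsense_p1"]) + weak_parameters(cfg["pfsense_p2"]),
    }


# Constructed tunnel description using the post's example values.
EXAMPLE = {
    "psk": generate_psk(),
    "local_subnet": "192.168.150.0/24",    # remote (pfSense) side LAN
    "remote_subnet": "192.168.100.0/24",   # home (Draytek) side LAN
    "pfsense_p1": {"enc": "aes256", "hash": "sha1", "dh": 14},   # assumed to match the Draytek
    "pfsense_p2": {"enc": "aes256", "hash": "sha1", "dh": 2},    # PFS key group 2 from the post
    "draytek_p1": "AES256_SHA1-G14",
    "draytek_p2": "AES256_SHA1",
}

if __name__ == "__main__":
    for name, items in preflight(EXAMPLE).items():
        print(f"{name}: {items or 'ok'}")
```

Running it with the post's values reports no PSK, subnet or proposal mismatches and one warning about the 1024-bit PFS group; the Phase 2 comparison skips the DH field because the Draytek's AES256_SHA1 label carries no group, which is exactly the setting to verify by hand in the Draytek's profile.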